Role in IT decision-making process:Align Business & IT GoalsCreate IT StrategyDetermine IT NeedsManage Vendor RelationshipsEvaluate/Specify Brands or VendorsOther RoleAuthorize PurchasesNot Involved

Work Phone:

Company:

Company Size:

Industry:

Street Address

City:

Zip/postal code

State/Province:

Country:

Occasionally, we send subscribers special offers from select partners. Would you like to receive these special partner offers via e-mail?YesNo

Your registration with Eweek will include the following free email newsletter(s):News & Views

By submitting your wireless number, you agree that eWEEK, its related properties, and vendor partners providing content you view may contact you using contact center technology. Your consent is not required to view content or use site features.

By clicking on the "Register" button below, I agree that I have carefully read the Terms of Service and the Privacy Policy and I agree to be legally bound by all such terms.

The advisory also states that this patch, MS04-040, supercedes and replaces an earlier cumulative update, MS04-038.

But it may not contain hotfixes that were issued since the release of MS04-038, so users who have received hotfixes from Microsoft or another support provider should instead follow separate instructions in Knowledge Base article 889669.

The vulnerability is a buffer overflow in the handling of IFRAME and EMBED tags. By providing oversized source fields for those tags, an attacker could potentially execute arbitrary code on the users system.

Normally, one would be subject to attack by browsing a Web page that has the attack built into it, but with very old, unpatched e-mail clients, it is also possible to be compromised through HTML e-mail.

Both Windows XP SP2 and Windows Server 2003 are unaffected by the bug, as are 5.x versions of Internet Explorer. Patches are available for Windows XP, Windows 2000, Windows NT 4.0, Windows ME and Windows 98.

Not long after the IE vulnerability details were made public, it was discovered that certain ad servers had been compromised by hackers to deliver the attack to users.

The vulnerabilitys severity is underscored by the fact that this is only the second time that Microsoft has issued an out-of-cycle security patch since it instituted its monthly patch cycles in November 2003. The first out-of-cycle patch, in February, addressed a group of serious Internet Explorer problems.

The incident with the compromised ad servers was not the only exploit of this problem since it was revealed in early November. "There have been several worms and Trojans that have attacked computers vulnerable to this bug over the last few weeks, so its encouraging to see Microsoft go out of cycle to address it," said Ken Dunham, director of malicious code at security firm iDefense Inc.

A major motivation behind introducing a regular monthly patch cycle was to allow administrators to plan for patching in an organized, informed manner. Just recently, Microsoft began giving advance notice—three business days in advance of patch day—of the number of patches involved and the products affected, in order to enhance that ability to plan.

But this particular vulnerability is serious enough that other plans may get shelved. "Administrators will be looking to test and deploy this patch as soon as its feasible," Dunham said.

Also today, Microsoft is making a change to Windows Update for three previously released security updates. Microsoft discovered that customers running Windows XP SP1 have not been offered the updates that apply to their computers from the October monthly release.

Microsoft attributed this to the fact that these updates are already included in Windows XP SP2, and this is the update that Windows Update and Automatic Updates presents to these users.

The company said it continues to encourage customers to install Windows XP SP2, but it is making the October updates available Wednesday to all Windows XP SP1 users to help ensure that they are protected in the meantime.

Editors Note: This story was updated to include comments from iDefense and further details.

/zimages/4/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.